
Commit a016262

authored
cert rotation now ignores monotonic clock readings when checking expiration (#5012)
cert rotation now ignores monotonic clock readings when checking expiration (#5012) Signed-off-by: Sean Teeling <[email protected]>
1 parent 52bd5a7 commit a016262

2 files changed

+8
-4
lines changed


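--- a/pkg/certificate/manager.go
+++ b/pkg/certificate/manager.go
@@ -175,10 +175,14 @@ func (m *Manager) shouldRotate(c *Certificate) bool {
 intNoise := rand.Intn(noiseSeconds) // #nosec G404
 secondsNoise := time.Duration(intNoise) * time.Second
 renewBefore := RenewBeforeCertExpires + secondsNoise
-if time.Until(c.GetExpiration()) <= renewBefore {
+// Round is called to truncate monotonic clock to the nearest second. This is done to avoid environments where the
+// CPU clock may stop, resulting in a time measurement that differs significantly from the x509 timestamp.
+// See https://github.com/openservicemesh/osm/issues/5000#issuecomment-1218539412 for more details.
+expiration := c.GetExpiration().Round(0)
+if time.Until(expiration) <= renewBefore {
 log.Info().Msgf("Cert %s should be rotated; expires in %+v; renewBefore is %+v",
 c.GetCommonName(),
-time.Until(c.GetExpiration()),
+time.Until(expiration),
 renewBefore)
 return true
 }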
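Review bot: The new comment above `expiration := c.GetExpiration().Round(0)` misstates what the call does: `Round(0)` does not round to the nearest second (that would be `Round(time.Second)`); it only strips the monotonic clock reading so that `time.Until` falls back to a wall-clock subtraction. That distinction is the whole safety argument here: if the stored expiration was derived from `time.Now()` it carries a monotonic reading, and on a host whose monotonic clock pauses (suspend, a stopped VM) the remaining lifetime is overstated and a certificate can keep being served past its x509 NotAfter. Suggest replacing the first comment line with `// Round(0) strips the monotonic clock reading so time.Until compares wall clocks (Sub only uses the monotonic reading when both operands carry one).` It would be more robust to strip the reading where the Certificate's expiration is first set, so every consumer of GetExpiration, not just this check, sees a wall-clock value. shouldRotate starts before this hunk and ends after it.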

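--- a/pkg/debugger/certificate.go
+++ b/pkg/debugger/certificate.go
@@ -34,7 +34,7 @@ func (ds DebugConfig) getCertHandler() http.Handler {
 
 _, _ = fmt.Fprintf(w, "---[ %d ]---\n", idx)
 _, _ = fmt.Fprintf(w, "\t Common Name: %q\n", cert.GetCommonName())
-_, _ = fmt.Fprintf(w, "\t Valid Until: %+v (%+v remaining)\n", cert.GetExpiration(), time.Until(cert.GetExpiration()))
+_, _ = fmt.Fprintf(w, "\t Valid Until: %+v (%+v remaining)\n", cert.GetExpiration(), time.Until(cert.GetExpiration().Round(0)))
 _, _ = fmt.Fprintf(w, "\t Issuing CA (SHA256): %x\n", sha256.Sum256(ca))
 _, _ = fmt.Fprintf(w, "\t Trusted CAs (SHA256): %x\n", sha256.Sum256(trustedCAs))
 _, _ = fmt.Fprintf(w, "\t Cert Chain (SHA256): %x\n", sha256.Sum256(chain))
@@ -43,7 +43,7 @@ func (ds DebugConfig) getCertHandler() http.Handler {
 _, _ = fmt.Fprintf(w, "\t x509.SignatureAlgorithm: %+v\n", x509.SignatureAlgorithm)
 _, _ = fmt.Fprintf(w, "\t x509.PublicKeyAlgorithm: %+v\n", x509.PublicKeyAlgorithm)
 _, _ = fmt.Fprintf(w, "\t x509.Version: %+v\n", x509.Version)
-_, _ = fmt.Fprintf(w, "\t x509.SerialNumber: %x\n", x509.SerialNumber)
+_, _ = fmt.Fprintf(w, "\t x509.SerialNumber: %s\n", x509.SerialNumber)
 _, _ = fmt.Fprintf(w, "\t x509.Issuer: %+v\n", x509.Issuer)
 _, _ = fmt.Fprintf(w, "\t x509.Subject: %+v\n", x509.Subject)
 _, _ = fmt.Fprintf(w, "\t x509.NotBefore (begin): %+v (%+v ago)\n", x509.NotBefore, time.Since(x509.NotBefore))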
